What are we doing with all the characters that get shoved into our applications? Have we considered every potential execution context? It’s often interesting and surprising to see what sort of concoction of characters can be executed in different places… and linking multiple attack vectors together which the builders haven’t thought about. What are we trusting? Why are we trusting it? What, where and how should we be sanitising?
We have a vast collection of libraries, techniques, cheat sheets, tutorials, guides and tools at our disposal. I often find myself thinking… how can we commoditise the sanitisation of user input? I keep coming up with the same answer: it’s not easy. Every application has a completely different set of concerns.
In order for our software to be shielded from an attack, the builders must think like attackers.
In this talk I’ll attempt to: